Banks' Crypto Permit Not as Free as It Looks

When the Commerce Department on Thursday gave its blessing to the export of the strongest available encryption products for electronic banking and finance, the Clinton administration wasn't really giving any ground on its stance on key recovery.

That's because the likely customers for these products - banks and financial institutions - are already subject to tough rules when it comes to tracking transactions and accounts to individuals. And these institutions are legally bound to share this information with the authorities.

Given the scope of current regulation, the Commerce Department's key recovery requirement would only be duplicative, a department spokesperson said.

That's why banks have been allowed to export government-approved Data Encryption Standard technology since the early 1980s. And that's why they'll now be able to use stronger encryption to secure transactions, including account and credit card numbers. The government standard has a fixed key length of 56 bits; encryption being readied for electronic commerce, such as Secure Electronic Transaction, can have keys of 1,024 bits and longer. It is assumed that it would take years and enormous computing power to crack the longer keys.

In remarks Thursday before a Washington gathering of the American Bankers Association, Undersecretary William Reinsch outlined the plan, which gives banks the ability to export direct-home-banking products with encryption keys of unlimited length. However, if a commercial software company - and not the bank - develops the banking product, the program must meet the administration's requirement for a key-recovery plan.

Key recovery provides a "back door" that allows third parties to open and read electronic transmissions such as email. Under the administration's plan, these keys would be stored with government-sanctioned escrow agents such as Trusted Information Systems, a computer security firm, or Bankers Trust, a bank holding company. With these keys, police, prosecutors, and spy agencies with court orders can get access to any message or document.

But privacy advocates distrust this system. To organizations like the Electronic Privacy Information Center, key recovery is no different from the administration's plans for government access under the failed Clipper initiatives.

And given the current level of regulation, exempting the financial institutions from the key-recovery requirements represents a mere "fig leaf of a concession" on administration policy, said Dave Banisar, EPIC staff counsel.

Developers have their own concerns about the Commerce Department announcement - namely, that by telling companies seeking to sell electronic commerce software to banks that they must include key escrow in their products, the administration is playing too prominent a role in the process.

Companies such as Hewlett-Packard that support key escrow prefer to implement it in products where it makes business sense for them to do so, said Fred Mailman, the company's regulatory manager. Mailman is worried that the door may now be open for the government to tell companies which product families will have key recovery, instead of the companies choosing themselves.

While companies sort this out, the pressure on the industry to capitulate to the administration's key recovery plan increases, Mailman said.